I have been trying to install a new certificate for a few days now on Exchange CU12. I have still not had full success. I was able to get it installed on the initial server where I had to generate a new CSR from PowerShell. I could no longer use the GUI for the Certificate Wizard. Those have been completely removed in CU12 per the following article.
I was able to install the certificate and export it properly after much digging and PowerShell Hell. The post for the process is here. It should help when installing a new certificate onto your Exchange Server.
Changes in Exchange Server PowerShell cmdlets and Exchange Admin Center for UNC path inputs (KB5014278)
Exchange Server 2019 Exchange Server 2016
To prevent misuse of UNC paths by attackers, we are removing parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).
These changes are available in the following latest Exchange Server updates:
Cumulative Update 12 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019
Cumulative Update 23 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016
Changes in Exchange Server cmdlets
Get-AgentTrafficTypeSubscription
- TransportService <service>
- Server <server UNC path>
Change: The parameter Server that takes the UNC path as input is removed from the cmdlet. This restricts usage to the local server on which the cmdlet is run.
Import-ExchangeCertificate
- FileName “<local/UNC path>”
- Password <password>
Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To import the certificate that’s stored in another UNC path, you must use the FileData parameter, as shown in following example:
Import-ExchangeCertificate
- FileData ([Byte[]]$(Get-Content -Path “<local or UNC path>” -Encoding byte))
- Password <password>
Export-ExchangeCertificate
- Thumbprint <thumbprint>
- FileName “<local/UNC path>”
- BinaryEncoded
- Password <password>
Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To export the certificate to a UNC path, you must use the FileData parameter, as shown in the following example:
- $cert = Export-ExchangeCertificate
- Thumbprint <thumbprint>
- Password <password>
- BinaryEncoded
- Set-Content -Path “<local or UNC path>” -Value $cert.FileData -Encoding byte
New-ExchangeCertificate
- GenerateRequest
- RequestFile “<local/UNC path>”
- SubjectName “<subject>”
- DomainName <domains>
Change: The RequestFile parameter that takes the UNC path as input is removed from the cmdlet. To export the request file to a UNC path, you must use the Set-Content cmdlet, as shown in the following example.
- $request = New-ExchangeCertificate
- GenerateRequest
- SubjectName “<subject>”
- DomainName <domains>
- Set-Content -Path “<local or UNC path>” -Value $request
Get-CalendarDiagnosticLog
- Identity “Jasen Kozma”
- Subject “Budget Meeting”
- ExactMatch $true
- LogLocation “C:\My Documents\Calendar Diagnostic Export”
Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. This restricts the usage to the local server on which the cmdlet is run.
Get-CalendarDiagnosticAnalysis
- LogLocation “C:\My Documents\Calendar Diagnostic Export”
- OutputAs HTML
| Set-Content -Path <local/UNC path>
Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. You must provide Calendar Diagnostic logs through the CalendarLogs parameter, as shown in the following example:
$calitems = Get-CalendarDiagnosticLog -Identity <mailbox user> -Subject “Budget Meeting”
Get-CalendarDiagnosticAnalysis
- CalendarLogs $calitems
- OutputAs HTML
| Set-Content -Path <local/UNC path>
Exchange Admin Center changes
Remove UNC path input for storing Virtual Directory settings during reset
When you reset a virtual directory, the Exchange Control Panel (ECP) asks for a UNC path that it can copy the current settings to. This process is changed. ECP will no longer allow any UNC path input here.
Instead, ECP will ask for the file name to export the settings from the user. This information will be stored in the ../V15/Config/Backup folder on the server through which ECP is accessed. If the folder doesn’t exist, it will be created by ECP.
Removal of Import & Export Exchange Certificate
In the previous versions of Exchange Server, there was an option to import or export the Exchange certificate through ECP.
This option is removed. You must now use a PowerShell cmdlet to import or export the Exchange certificate.
Removal of Complete Exchange Certificate Request
In previous versions of Exchange Server, there was an option to complete the Exchange certificate by using ECP. This prompted admins to provide UNC path input.
This option is removed from ECP. You must now use a PowerShell cmdlet to do this.
Removal of New Exchange Certificate Request from CA
In previous version of Exchange Server, there was an option to request a new Exchange certificate from the certificate authority (CA) by using ECP. This prompted admins to provide UNC path input.
This option is removed from ECP. You must now use a PowerShell cmdlet to do this.
Removal of Renew Exchange Certificate Request
In Previous version of Exchange Server, there was an option to Renew Exchange Certificate Request using ECP which led to admins providing UNC path input.
This option is removed from ECP. You must now use a PowerShell cmdlet to do this.
One thought on “Deprecation of Certificate Tools in Exchange Admin Center GUI”
Comments are closed.